Introduction

Ostensibly, like most published works, you could detail a Certification Package to no end and continue adding more details until the additional details detract from the focus. Part of understanding the package preparation process is knowing when to draw the line in the sand and proclaim that the package is finished. Once you have put together your first C&A package, you will soon come to the realization that you could have gone on forever documenting picayune details to no end. In most cases, how far you should go will be determined by a date on the calendar. C&A on all federal information systems has to be done every three years. If the last C&A on a set of systems resulted in a formal accreditation on April 24, 2004, then the next C&A for that group of systems must be completed by April 24, 2007 that means that an Accreditation letter granting Authority to Operate must be in hand by April 24, 2007 whether you started the project three months earlier or six months earlier.

Structure of Documents

In all the documents that are prepared for the C&A package, I have thus far described the different sections that you should be sure to include. In addition to what I have already suggested you include, each of your documents should have the following sections:

• Introduction

• Purpose

• Scope and Applicability

• References, Requirements, and Authorities

• Record of Changes

Each document in the C&A...